Regulation Comparison: LGPD vs. GDPR
It has been a year since the Brazilian president sanctioned the Brazilian General Data Protection Law (LGPD) in August 2018. The LGPD shares many similarities with the EU’s General Data Protection Regulation (GDPR), but it is leaner in comparison.
The LGPD is set to come into force in August 2020 after its initial 18-month deadline was extended by an additional six months by President Michel Temer. There was uncertainty about the LGPD’s future when the same president vetoed several provisions of the bill before its passing, most notably those needed to create Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).
However, on July 8, 2019, Brazil’s new president, Jair Bolsonaro, promulgated Law No. 13.853/2019 which amends some provisions of the LGPD and provides for the creation of the ANPD. With its data protection authority now a reality, Brazil is moving forward with the enforcement of the LGPD.
LGPD vs. GDPR
Many companies have already gone through the rush for GDPR compliance, but there are notable differences between the GDPR and the LGPD. Here are some of the main ones.
Both the GDPR and the LGPD have similar territorial scopes: they apply to all companies offering goods or services to data subjects in the EU or Brazil, regardless of where they are located.
However, the GDPR explicitly includes organizations that are not established in the EU, but that monitor the behavior of individuals located in it. The LGPD has no such provision.
As a general rule, both the GDPR and the LGPD define consent as a freely given, informed and unambiguous indication of the data subject’s agreement to the processing of their data. However, where the GDPR requires “explicit” consent as an additional criterion for valid consent in certain situations (sensitive data and international data transfers), the LGPD instead requires “specific” consent in those same situations.
Both regulations are concerned with giving data subjects meaningful control and choice over their personal information. For example, information about the processing of personal data must be clear, adequate, easily accessible and transparent, so that data subjects are properly informed about how their data is processed.
Legal bases for data processing
One of the major differences between the two laws is the legal bases for data processing. The GDPR provides six: consent, performance of a contract, legal obligation, vital interests, public task and legitimate interests.
The LGPD includes equivalents of all six and adds four more: studies by a research body, the exercise of rights in legal proceedings, health protection and credit protection.
Data Subjects’ Access Requests
An individual’s right to data access is guaranteed under both the GDPR and the LGPD. Data subjects can request access to the data a company has collected about them and can request further actions concerning it: its portability, deletion or correction.
The GDPR allows organizations one month (commonly treated as 30 days, and extendable for complex requests) to answer data subjects’ access requests, while the LGPD gives them only 15 days for a full response.
Mandatory Data Breach Notifications
While both laws have made data breach notifications mandatory, their requirements differ slightly.
The GDPR imposes a strict 72-hour deadline, counted from the moment the company becomes aware of a breach, for notifying the competent Data Protection Authority (DPA). Organizations subject to the LGPD, on the other hand, must notify the ANPD within a “reasonable” time that the law leaves undefined, to be set by the authority. Both laws also require notifying the affected data subjects, but under different conditions: the GDPR requires it only when the breach is likely to result in a high risk to individuals’ rights and freedoms, whereas the LGPD requires it for any security incident that may cause significant risk or damage to data subjects.
The GDPR’s notorious fines allow DPAs across Europe to issue fines of up to 4% of a company’s global annual turnover or €20,000,000 (roughly $22,000,000), whichever is higher.
Under the LGPD, organizations face comparable penalties: a fine of up to 2% of their revenue in Brazil in the previous fiscal year, excluding taxes, capped at 50,000,000 Brazilian reais (approximately $13,000,000) per infraction. The LGPD also provides for daily fines to compel compliance.
While there are a great number of similarities between the LGPD and the GDPR, there are points, such as the legal bases for processing and the conditions for notifying data subjects of breaches, on which the LGPD differs from and in some respects goes further than the European legislation.